testsAndMisc/linux_configuration/scripts/periodic_background/hosts/guard/plugins/nsswitch-plugin.sh
Krzysztof kuhy Rudnicki 66c4698194
feat: migrate hosts-guard and shutdown-schedule-guard to guard-lib
Replaces the bespoke chattr/bind-mount/systemd-watcher implementations for
/etc/hosts and /etc/shutdown-schedule.conf with the new shared guard-lib
(~/guard-lib, guardctl), so screen-locker and steam-backlog-enforcer's new
block-gaming feature stop maintaining parallel copies of the same
tamper-resistance mechanism.

- pacman_wrapper.sh: pre/post hook fallbacks now call guard-lib's generic
  unlock-all/relock-all scripts (covers every registered guard instance,
  not just /etc/hosts)
- setup_midnight_shutdown.sh: installs/updates its guarded config via
  guardctl file-guard instead of hand-rolled chattr + systemd unit
  generation; the schedule ratchet logic (block-if-more-lenient) stays
  bespoke since guardctl's generic unlock can't represent it
- new hosts/guard/plugins/nsswitch-plugin.sh, resolved-plugin.sh

Also fixes, at user's request even though pre-existing: 3 shellcheck
SC2329 false positives in pacman_wrapper.sh (functions invoked indirectly
by name, not actually dead) and 1 SC2001 style warning (echo|sed VM-name
extraction replaced with parameter expansion, verified equivalent output).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AFNiYQQgSLAkiBXswyimPq
2026-07-04 11:54:08 +02:00

39 lines
1.3 KiB
Bash
Executable File

#!/bin/bash
# guard-lib plugin for the "nsswitch" file-guard instance.
# Ensures /etc/nsswitch.conf's "hosts:" line always contains "files"
# before "dns", preventing bypass of /etc/hosts blocking. Translated from
# the pre-guard-lib enforce-nsswitch.sh - see that file's git history for
# the original standalone version.

# validate FILE: return 0 when the hosts: line lists "files" and, if "dns"
# is present, lists "files" before it; return 1 otherwise. Matching is done
# on whole words so that a name such as "mdns4_minimal" does not count as
# "dns".
validate() {
    local file="$1"
    local line
    line="$(grep '^hosts:' "$file" 2>/dev/null || true)"
    [[ -n "$line" ]] || return 1
    echo "$line" | grep -qw "files" || return 1
    if echo "$line" | grep -qw "dns"; then
        local files_pos dns_pos
        # grep -bo prints "<byte offset>:<match>" per match; keep the first.
        files_pos=$(echo "$line" | grep -bo '\bfiles\b' | head -1 | cut -d: -f1)
        dns_pos=$(echo "$line" | grep -bo '\bdns\b' | head -1 | cut -d: -f1)
        if [[ -n "$files_pos" && -n "$dns_pos" && "$files_pos" -gt "$dns_pos" ]]; then
            return 1
        fi
    fi
    return 0
}

# emergency_fix: rewrite the hosts: line in place so that "files" comes
# before "dns". Only called when no canonical copy exists yet to restore
# from instead. $TARGET (the guarded file's path) is expected to be set by
# the guard-lib caller. The \b word boundaries keep the rewrite from
# splitting names that merely contain "dns" (e.g. "mdns4_minimal"). A stray
# "files" that was listed after "dns" is left in place; the duplicate is
# harmless to the resolver.
emergency_fix() {
    chattr -i "$TARGET" 2>/dev/null || true
    if grep -q '^hosts:.*\bdns\b' "$TARGET"; then
        sed -i 's/^hosts:\(.*\)\bdns\b/hosts:\1files dns/' "$TARGET"
    elif grep -q '^hosts:.*\bresolve\b' "$TARGET"; then
        sed -i 's/^hosts:\(.*\)\bresolve\b/hosts: files\1resolve/' "$TARGET"
    else
        sed -i 's/^hosts:/hosts: files/' "$TARGET"
    fi
}
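The plugin above compares byte offsets of the words "files" and "dns" on the raw line. The following is an added example, not part of this repository or of guard-lib, showing a stricter way to make the same decision: tokenise the hosts: line properly (drop trailing comments and `[STATUS=action]` specs, which may contain spaces), work on whole service names, and treat a file with two hosts: lines as ambiguous and therefore invalid. The function names `hosts_services` and `nsswitch_hosts_ok`, the stdin interface, and the sample lines are all assumptions made for this illustration; the samples are constructed, not taken from any real host.

```bash
#!/bin/bash
# Added example (not repository code): stricter hosts: line checking for
# nsswitch.conf. Both functions read an nsswitch.conf on stdin.

# hosts_services: print the service names of every hosts: line, one per
# line, in lookup order. Trailing "# comments" and "[STATUS=action]" specs
# are dropped; a second hosts: line is preceded by a "--" marker so callers
# can tell the configuration is ambiguous.
hosts_services() {
    awk '
        /^[ \t]*hosts[ \t]*:/ {
            if (seen++) print "--"
            sub(/#.*/, "")                    # strip trailing comment
            sub(/^[ \t]*hosts[ \t]*:/, "")    # strip the database key
            n = split($0, tok, /[ \t]+/)
            inspec = 0                        # inside "[ ... ]"?
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "") continue
                if (inspec) { if (t ~ /]$/) inspec = 0; continue }
                if (t ~ /^\[/) { if (t !~ /]$/) inspec = 1; continue }
                print t
            }
        }
    '
}

# nsswitch_hosts_ok: exit 0 when stdin holds exactly one hosts: line whose
# service list names "files" before "dns" (or has no "dns" at all).
# No hosts: line, duplicate hosts: lines, a missing "files", or "dns" ahead
# of "files" all exit 1, which is the verdict a guard validate() wants.
nsswitch_hosts_ok() {
    local svcs files_idx dns_idx
    svcs="$(hosts_services)"
    [ -n "$svcs" ] || return 1
    case "$svcs" in *"--"*) return 1 ;; esac          # ambiguous config
    files_idx=$(printf '%s\n' "$svcs" | grep -nx 'files' | head -n1 | cut -d: -f1)
    dns_idx=$(printf '%s\n' "$svcs" | grep -nx 'dns' | head -n1 | cut -d: -f1)
    [ -n "$files_idx" ] || return 1
    [ -z "$dns_idx" ] || [ "$files_idx" -lt "$dns_idx" ]
}

# demo: run constructed hosts: lines through the check and print a verdict.
demo() {
    local line
    while IFS= read -r line; do
        if printf '%s\n' "$line" | nsswitch_hosts_ok; then
            printf 'OK    %s\n' "$line"
        else
            printf 'FAIL  %s\n' "$line"
        fi
    done <<'EOF'
hosts: files dns
hosts: dns files
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
hosts: mdns4_minimal [NOTFOUND=return] files dns
hosts: files mdns4_minimal [ NOTFOUND=return ] dns # trailing comment
hosts: mdns4_minimal
EOF
}

demo
```

Rejecting a file with two hosts: lines is a deliberate choice: rather than guessing which line the resolver will honour, the guard refuses the ambiguous state and lets the restore path put the canonical copy back.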